Lab instruments may be leaking patient data, study finds
Lab instruments may be leaking valuable information and therefore pose an unlikely but real security threat, according to a study by University of California researchers.
WHY IT MATTERS
The new report noted the cyber-physical nature of biotechnology workflows has created new security risks, which the research community has mostly neglected.
The researchers, including Philip Brisk, a UC Riverside associate professor of computer science, and UC Irvine electrical and computer engineering professor Mohammad Abdullah Al Faruque, recommend labs using DNA synthesizing machines institute security measures.
These include strictly controlling access to the machines and removing innocuous-seeming recording devices left nearby, including mobile devices like smartphones.
“Any active machine emits a trace of some form: physical residue, electromagnetic radiation, acoustic noise, et cetera,” Brisk said in a statement. “The amount of information in these traces is immense, and we have only hit the tip of the iceberg in terms of what we can learn and reverse engineer about the machine that generated them.”
The researchers discovered that speakers similar to smartphone speakers were able to determine what a DNA synthesizer was producing from the sounds its components made as it went through its manufacturing routine.
DNA synthesizers contain components that open and close to release chemicals as they manufacture each of these bases, mechanisms that make distinctive sounds as they work.
Through a careful feature engineering and bespoke machine-learning algorithm written in the lab, the researchers were able to pinpoint those differences in sound, which allow them to identified the correct type of DNA.
The researchers say that by listening in a knowledgeable observer could tell if the machine was making anthrax, smallpox, or Ebola DNA, for example, or a commercially valuable DNA intended to be a trade secret.
The report warned that if this type of information was exposed, then an attacker may be able to create a contagious virus that is fatal to individuals or a small group, but otherwise benign to the general population.
Al Faruque noted that while a study has already been published on a similar method for stealing plans of objects being fabricated in 3D printers, this DNA synthesizer attack is potentially much more serious.
ON THE RECORD
“The take-home message for bioengineers is that we have to worry about these security issues when we’re designing instruments,” William Grover, a bioengineering professor at UC Riverside, said in a statement.
Because almost all machines used in biomedical research make some kind of sound the risk from hackers could conceivably be applied to any machine.
Another recent example was the ability to encode information into a DNA sequence that can trigger a buffer overflow error in DNA sequencing software — this exploit can be used to inject malware into the computer running the sequencing algorithm.
Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: firstname.lastname@example.org